Remove aes256-cts:normal from the supported_enctypes field of the kdc.conf or krb5.conf file.

Restart the Kerberos KDC and the kadmin server so the changes take effect.

The keys of relevant principals, such as Ticket Granting Ticket principal (krbtgt/REALM@REALM), might need to change.

Note: If AES-256 remains in use despite disabling it, it may be because the aes256-cts:normal setting existed when
the Kerberos database was created. To resolve this issue, create a new Kerberos database and then restart both the KDC and the kadmin server.

To verify the type of encryption used in your cluster:

For MIT KDC: On the local KDC host, type this command in the kadmin.local or kadmin shell to create a test principal:

kadmin: addprinc test

For Active Directory: Create a new AD account with the name, test.

On a cluster host, type this command to start a Kerberos session as test:

$ kinit test

On a cluster host, type this command to view the encryption type in use:

$ klist -e

If AES is being used, output like the following is displayed after you type the klist command (note that AES-256 is included
in the output):

If this documentation includes code, including but not limited to, code examples, Cloudera makes this available to you under the terms of the Apache License, Version 2.0, including any required
notices. A copy of the Apache License Version 2.0 can be found here.